Cyber Threat Brief — May 29 2026
⚠️ This report is AI-generated. Always validate findings.
1. NGINX Rift Heap Buffer Overflow — CVE-2026-42945
TL;DR: CVSS 9.2 unauthenticated RCE in NGINX’s rewrite module exploited ITW since May 16. Chains with CVE-2026-31431 (Copy Fail) or CVE-2026-43284 (Dirty Frag) for internet-to-root with no auth, no races, no user interaction.
What’s New:
- Heap overflow in ngx_http_script_regex_end_code: the length pass uses is_args=0 (raw count) while the copy pass uses is_args=1 (URI-escaped), so the write overruns the allocation when a rewrite uses an unnamed PCRE capture together with a ? in the replacement
- VulnCheck canaries detected ITW exploitation starting May 16 (3 days post-disclosure/PoC)
- Public PoC at github.com/DepthFirstDisclosures/Nginx-Rift
- 5.7M internet-exposed NGINX instances potentially vulnerable; exploitable subset requires specific rewrite config (common in WordPress nginx configs)
- Affects NGINX 0.6.27–1.30.0, Plus R32–R36, Ingress Controller, Gateway Fabric, App Protect; patched in 1.30.1/1.31.0
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| HTTP requests with long +/%/& sequences targeting rewrite endpoints | Exploit pattern | T1190 | WAF / access logs | Create WAF rule for abnormal URI encoding density in rewrite-matched paths |
| NGINX worker crash loops (segfault in ngx_http_script_regex_end_code) | Exploitation indicator | T1499.004 | error.log / syslog | Alert on repeated worker segfaults; correlate with access log timestamps |
| NGINX versions 0.6.27–1.30.0 with unnamed PCRE captures in rewrite rules | Vulnerable config | T1190 | Asset inventory | Audit nginx.conf for rewrite ... $1 ... ? patterns; upgrade to 1.30.1+ |
| Chain: NGINX RCE → Copy Fail (CVE-2026-31431) or Dirty Frag (CVE-2026-43284) → root | Kill chain | T1068 | EDR / kernel logs | Hunt for post-exploitation LPE following nginx worker compromise |
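The config audit called for in the table above (unnamed capture plus a ? in a rewrite replacement, on a version inside the affected range) as an added example; this is not code from the brief, from NGINX or from the PoC repository, and the sample config and the helper names are constructed for illustration.

```python
import re
from typing import List, Tuple

# Added example (not from the brief or from NGINX): scan an nginx.conf for
# rewrite directives whose replacement combines an unnamed PCRE capture ($N)
# with a '?' (arguments), and flag them when the running NGINX version is in
# the affected range 0.6.27 through 1.30.0 stated in the brief.

REWRITE_RE = re.compile(r'^\s*rewrite\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*;', re.M)
UNNAMED_CAPTURE_RE = re.compile(r'(?<!\\)\$\d')  # $1, $2, ... but not \$1

def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split('.'))

def version_affected(v: str) -> bool:
    # Fixed releases per the brief are 1.30.1 and 1.31.0, so 1.30.0 is the last affected build.
    return parse_version('0.6.27') <= parse_version(v) <= parse_version('1.30.0')

def find_risky_rewrites(conf: str) -> List[Tuple[str, str]]:
    """Return (regex, replacement) pairs whose replacement has an unnamed capture and a '?'."""
    risky = []
    for m in REWRITE_RE.finditer(conf):
        regex, replacement = m.group(1), m.group(2)
        if UNNAMED_CAPTURE_RE.search(replacement) and '?' in replacement:
            risky.append((regex, replacement))
    return risky

def audit(conf: str, version: str) -> dict:
    """Combine the version check with the config scan into one verdict."""
    risky = find_risky_rewrites(conf)
    affected = version_affected(version)
    return {"version_affected": affected, "risky_rewrites": risky,
            "needs_action": affected and bool(risky)}

# Constructed sample config (hypothetical WordPress-style vhost, not a real deployment)
SAMPLE_CONF = """
server {
    listen 80;
    # unnamed capture reused in the replacement together with a '?' -> flagged
    rewrite ^/old/(.*)$ /index.php?page=$1 last;
    # named capture only -> not the pattern the brief describes
    rewrite ^/blog/(?<slug>[^/]+)$ /post?slug=$slug last;
    # unnamed capture but no '?' in the replacement -> not flagged
    rewrite ^/img/(.*)$ /static/$1 break;
}
"""

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, "1.28.0"))
```

Run it against `nginx -T` output rather than a single file so included vhost configs are covered too.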
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No NGINX Rift-specific rule; need custom SPL for worker segfault pattern + abnormal URI encoding in access logs |
| Elastic | None | No specific rule; Web Application Suspicious Activity (generic) may partial-match |
| Sigma | None | No community rule yet; create rule for nginx error.log signal 11 + correlated HTTP 400/500 spike |
Sources: The Hacker News · Help Net Security · Security Boulevard (chain analysis) · PoC · F5 Advisory
2. Malware-Slop: npm Package Targets Claude AI User Directories
TL;DR: AI-generated malicious npm package mouse5212-super-formatter exfiltrates all files from Claude’s /mnt/user-data directory to attacker-controlled GitHub repos. Low sophistication (attacker leaked own GitHub token) but novel targeting of AI developer tool data stores.
What’s New:
- Package published May 26, 676 downloads before detection; presents as “archive deployment sync” utility
- Walks /mnt/user-data recursively, base64-encodes files, uploads via GitHub Contents API using hardcoded fallback token
- Attacker’s GitHub account created hours before first malicious version — AI-generated code leaked private GitHub token (OX Security codename: Malware-Slop)
- Targets Anthropic Claude’s dedicated upload/output handling directory, harvesting user-uploaded documents, session data, and tool outputs
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| mouse5212-super-formatter (npm) | Malicious package | T1195.002 | SBOM / package audit | Block in registry; audit package-lock.json |
| GitHub API calls from /mnt/user-data context | Exfil behavior | T1567.001 | Network / EDR | Alert on GitHub Contents API PUT from non-git processes |
| Recursive file enumeration of /mnt/user-data | Collection | T1005 | EDR / file access logs | Monitor access to Claude data directories from npm/node processes |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No rule for npm package exfiltration via GitHub API |
| Elastic | None | No specific rule; Suspicious Network Connection via Node.js (partial) |
| Sigma | None | Need rule for node process accessing AI tool data directories + GitHub API exfil |
Sources: The Hacker News · OX Security · The Register
Status Updates
- CVE-2026-48172 (LiteSpeed cPanel Plugin): CISA KEV federal deadline TODAY May 29. Mass automated exploitation ongoing. Upgrade to 2.4.5+. Original brief.
- CVE-2026-42897 (Exchange OWA XSS zero-day): Federal deadline TODAY May 29. No permanent patch (expected June 10). Apply EM mitigation or manual IIS rewrite rule. Original brief.
- CVE-2026-41091/CVE-2026-45498 (Defender RedSun/UnDefend): Patched May 19-21; CISA KEV deadline June 3. Chained ITW by Huntress. Update Defender Engine ≥1.1.26040.8 and Platform ≥4.18.26040.7. Original brief.
- CVE-2026-45321/CVE-2026-48027/CVE-2026-8398 (TanStack/Nx Console/DAEMON Tools supply chain): CISA KEV deadline June 17. Audit developer workstations for persistence artifacts. Original brief.